Toll hack shows government's dangerous lack of cyber leadership

For the past two months, public health systems around the world have battled to contain the outbreak of the novel coronavirus. While doctors treated individuals, governments worked on the public. Political leaders and health experts fronted public campaigns, raising awareness of the threat and spurring those at risk to act to protect themselves.

But in Australia, when faced with the threat of digital infection, our political leaders are silent.

Ransomware is malicious software with a business model. It works by exploiting vulnerabilities in an organisation’s IT system, then effectively locks the organisation out of its own data by encrypting it, so that a complex numerical key is required to unlock it.

In exchange for this key, victims are asked to pay a ransom — usually in the form of difficult-to-trace bitcoin. And some pay: last year, the small town of Lake City, Florida, paid hackers almost half a million dollars to regain access to its system.

According to the anti-malware company EmsiSoft, there were almost 1000 attacks on US government agencies, schools, colleges and healthcare providers last year alone. It was the year the US Department of Homeland Security formally warned the public of a “ransomware outbreak”.

These attacks are enormously disruptive, often taking IT systems offline for weeks. In August, ransomware simultaneously infected 22 Texan cities – one consequence was that police lost access to the computer systems in their patrol cars.

In May, extortionists hit Baltimore, crippling the city’s email, voicemail and its system for paying bills and property taxes — only a year after ransomware had disrupted its 911 dispatch system.

This isn’t merely about disruption and lost profit. Vital services have been compromised.

Australia hasn’t been immune to this ransomware epidemic. Last year, a Victorian government regional health network fell victim, shutting down systems and delaying some surgeries.

Then, in late January, Toll — a global transport company based in Melbourne — lost the use of up to 1000 servers in a ransomware attack and was forced to implement manual processes across large parts of its business.

At the time of writing, its systems have still not fully recovered.

Despite this, it has been two years since anyone in the Australian government has even mentioned “ransomware” in parliament.

There’s been no public health-style campaign. No minister has faced the media, flanked by cyber security experts. No minister has been sounding the alarm internally about the poor cyber resilience of government networks that has been revealed in a series of audits going back five years.

Even as the government consults on its next cyber security strategy, there has been little public debate about the best way to respond to an epidemic like this – whether helping organisations to protect themselves is the best we can do, or whether more strategic interventions closer to the source of these attacks might help reduce the risk.

It’s not a coincidence that the last time ransomware was mentioned in Parliament by a member of the government was when there was a minister with direct portfolio responsibility for cyber security.

Since Scott Morrison abolished this dedicated role, there has been no one to provide the public, or the government, with any leadership on the issue.